MSP430FR2433: BSL & JTAG Lock - Lunchpad & Custom PCB

Hi Con,

I think there is a slight misunderstanding on your side on the available options of the JTAG and BSL security options.

Please see this table, which you can find in the MSP430FR2433 User's Guide.

The option related to the automatic mass erase and BSL are either enabling the mass erase of the entire device on access attempt using a wrong password, or disabling it. There is no option for locking the BSL or the JTAG upon a wrong password transmission.

Please keep in mind, the mass erase option, if enabled gives you the possibility regaining the access to the device also in case when you don't have the correct password, as transmitting the wrong password would trigger the mass erase. This would also erase the interrupt vector table, which results in a known password, which could be used to unlock the JTAG. It does not disclose the code image to the attacker, as you regain the access to a completely erased device. But someone could reprogram your HW with his code this way.

The best source for further information on BSL features related to our MSP430 FRAM devices is the MSP430™ FRAM Devices Bootloader (BSL) User's Guide slau550q.pdf .

Dependent on the selected mode for the BSL security, there are respective options to check, whether you have implemented the correct settings.

1. BSL disabled completely. >> you cannot regain access to the device by the above described multi step approach with erase of the device.

2. BSL password protected with mass erase enabled >> you can regain access to the device by erasing it with wrong password.

For debugging purposes you could also leave the JTAG unlocked, and by this in debug mode check the signatures you're applying to the BSL.

Best regards

Peter

Hello Peter,

Thank you very much for suggestions apologies it took a bit to reply. 

yes indeed i misphrased it i want this you are correct -> BSL password protected with mass erase enabled. 

So will the rocket be required and abel to confirm the JTAG and BSL "lock"? 

(I would assume you as well find that investing time in the IPE option too much for this cause since everything will be protected anyway...)

Thanks,

Con

Thanks for your reply Peter it has been helpful.

Since ez-FET on MSP-EXP430FR2433 uses SBW which is a JTAG implementation and both are locked together I have confirmed the lock just by trying to access with CSS.  (And I got the message that JTAG is secured, therefore MSP-FET might be an overkill in my case, for now)

Applied the lock f in-system  as per the guideline->

#pragma RETAIN(JTAG_signatures)

#pragma DATA_SECTION(JTAG_signatures, ".jtagsignature")

const uint16_t JTAG_signatures[] = {0xAAAA, 0x0002};

I just got a BSL Rocket in my hands so today I will be playing around with  the BSL as well I hope. 

Just one last thing which still confuses me a bit please if you can elaborate:

In SLAU550S, section 3.6.1.2 shows it’s possible to change the BSL signature and password through the cmd file just as the JTAG signature as above.(perhaps only for FR235x and FR215x?). So I assume that’s not possible FR2433 since I can only find .bslsignature and .jtagsignature in its .cmd. However, the addresses for the BSL password are FFFFh to FFE0h (User defined + Vector table configuration) (The BSL password is equal to the content of Interrupt Vector table on the device as stated in the same document). Therefore if understand correctly the password and signatures/configuration is located In the top of FRAM in interrupt vectors  (which range is FFFFh to FF80h) while the BSL itself is in ROM. So couldn’t one disable the FRAM Write Protection and write on these addresses in order to set a new BSL password using an in-system approach as with JTAG?  It confuses me why FF80h-83h for JTAG signature and FF84 to FF87 BSL signature are accessible but BSL password is not through .cmd?

Thanks a lot again, regards,

Con